With 2017 shaping up to be the year of the Internet of Things, we look at the implications for business security.
One of the world’s biggest technology shows, CES is held annually in January in Las Vegas – which makes it a pretty good way of charting the technology roadmap for the rest of the year. And judging by CES 2017, this will be the year of the Internet of Things (IoT) and connected devices.
At CES 2017, we were invited to imagine a connected world where you wake up in the morning on a bed that automatically adjusted to your shape during the night, or raised your partner's head slightly because it noticed they were snoring. A coffee maker sits on a kitchen bench, ready with your morning caffeine fix just the way you like it. The smart toaster has your breakfast on the go, as your smart hairbrush berates your brushing technique while you get ready for work. Before you leave the house, you grab your anti-pollution smart scarf and yell at your AI-driven vacuum cleaner to get to work.
The event showed us there's a device to make almost every part of our lives "smarter", and, undeniably, these products have the potential to make a positive impact on daily life. But as we invite an increasing number of connected devices into our home, we could be creating more and more doors to our personal data, in areas they could never have existed previously.
The harsh reality is that, for these devices to work, a degree of personal data must be handed over. For example, to use the Sleep Number 360 bed developed by Simba, you're required to use a mobile app running a personal profile that holds your name, email address and any other data you decide to provide. Soon, a date of birth could be required just to have a good night's sleep.
Using IoT devices to create massive botnets
If 2016 has taught us anything, it's that there are no guarantees your data will be safe. The hacks of Yahoo, Dropbox, Gmail and Hotmail are just a few of the recent incidents that collectively led to the potential loss of billions of user details. In the idyllic connected home hinted at by CES 2017, the sheer volume of personal data collectively locked away could be huge, all of it contained within worryingly insecure smart devices.
Aside from the problems of data theft, the relentless pursuit of a "connected everything" facilitated a surge in the number of distributed-denial-of-service (DDoS) attacks against businesses in 2016. IoT security is still substantially lacking and, thanks to a general use of default login credentials and a lack of knowledge or responsibility on the part of the user, hackers have been able to exploit the collective bandwidth of IoT devices to create massive armies of botnets, capable of bombarding single targets with cripplingly high volumes of traffic. DDoS attacks like these are worryingly simple, as they don't require a network breach; instead, they use code and credentials that are openly available online.
The more IoT devices there are in our homes, the bigger the gold mine gets. In 2016 we saw the deployment of the Mirai botnet, resulting in a co-ordinated assault on Dyn servers and a massive internet outage affecting the likes of Netflix, Reddit and Twitter. These attacks were some of the largest in industry history, and they're only set to increase as domestic IoT devices become more popular.
Unfortunately, users won't necessarily know if their device is part of a zombie army of infected drones. Unlike PCs, which often slow down or crash when infected, IoT devices are designed to run without human interaction and performance is generally consistent despite the presence of malware.
There are clear differences between the priorities of businesses and those of the everyday consumer, and this, according to Aapo Markkanen, principal analyst at Machina Research, is fully exploited by the consumer tech industry.
"In enterprise space, especially in the industrial IoT, the benefits of investing in security and taking it seriously are fairly tangible for suppliers," says Markkanen. "On the consumer side, the outlook is very different: the customers don't see security as a high priority, so the product makers and their suppliers can afford to cut corners."
Many of the security issues facing the IoT industry today are not of a technical nature, argues Markkanen, but simply the result of an inadequate approach to development.
"If you take the high-profile DDoS cases we witnessed last year, then they're not because the hacked products were missing some magic component that would have made them safe. Sometimes it's all because the IoT developers just don't 'get' security... it's simply a cynical gold-rush play to get products to the market as cheap as possible, as fast as possible."
According to research from analyst firm Forrester, more than 500,000 IoT devices will suffer a hack in 2017, with attackers exploiting open-source components that are rushed to market without adequate security precautions embedded in their firmware, or plans to deliver future updates. Some companies in the consumer market see security as a barrier, because it slows down production and leads to added costs for the developer – chiefly in the form of hiring pricey security professionals – and it can therefore be overlooked.
Hackers take advantage of this complacency, meaning businesses will suffer from relatively simple attacks powered by the consumer IoT – at least until some oversight is put in place.
Thankfully, efforts are now being made to try and conquer the Wild West that has been the IoT landscape over recent years. The Norton Core, developed by Symantec, is an example of a router built from the ground up with IoT in mind, capable of monitoring traffic for unusual activity and able to alert the user to suspected bot hijacks.
But the fact that web-security firms are developing these products highlights the inadequacy of standard broadband routers to handle the security issues facing today's IoT connected homes and businesses. Over the past two years, the US Federal Trade Commission has filed lawsuits against Taiwanese firms Asus and D-Link for failing to adequately protect routers and security cameras from intrusion. These complaints are the latest brought by the commission as part of a campaign to improve practices in the development of connected devices. Asus has since agreed to regular independent security audits for the next 20 years.
No single silver bullet
The thinking around IoT will need to change in the coming years, particularly as we begin to see the effects of the planned obsolescence of connected technology. Perhaps uniquely, connected smart devices will continue to serve a purpose as a useful power source for botnets, as these products typically have a limited lifespan in terms of manufacturer support. How manufacturers continue to ensure older products are secured against newer and more sophisticated attacks is a problem that will likely need to be resolved through some form of statutory regulation.
"There's no single silver bullet to mitigate the long-term DDoS threat that the growth in IoT devices poses to the internet-based economy," says Markkanen.
"Companies with anything at stake in the IoT need to come together and find the right avenues to advocate better developer practices. Given that there's a strong public and national-security interest in the issue, it would be wise for the industry to move proactively and come up with concrete proposals that will help set the right incentives for developers," he adds.
There is little doubt that, as in most years, many of the products on display at CES 2017 were concept pieces – a chance for developers to show off some creativity with current technology, rather than devices that will go into production. But what is clear is that the "connected everything" is growing, and reliance on current security and privacy standards is not enough to ensure devices are safe to use for both consumers and businesses in 2017 and beyond.